Privacy Policy

Last updated: March 2026

1. Data Controller (Impressum)

Angaben gemäß § 5 TMG

For questions about this Privacy Policy or your personal data, contact us at contact@animacycle.com.

2. Data Stored on Your Device

All health-related data is stored exclusively on your device and is never uploaded to our servers:

• Cycle dates and settings (cycle length, period length)
• Daily mood, energy, and symptom logs
• Journal entries
• Notification preferences
• Onboarding answers (goals, work style)

We have no access to this data. It remains on your device until you delete it.

Anima Cycle does not use Apple HealthKit and does not read from or write to the Health app.

3. Sensitive Health Data — No Sale, No Sharing

Anima Cycle collects menstrual cycle and reproductive health data. This data is stored exclusively on your device and is never:

• Sold to any third party
• Shared with advertisers or data brokers
• Used for targeted advertising
• Disclosed to law enforcement without a valid legal order
• Transferred to any server or cloud service

We are committed to protecting your reproductive health information. Your cycle data belongs to you alone.

4. Legal Basis for Processing (GDPR Art. 13)

We process your data on the following legal bases:

• Cycle and health data (Art. 6(1)(a) GDPR) — based on your explicit consent given during onboarding
• Special category health data (Art. 9(2)(a) GDPR) — based on your explicit consent given during onboarding
• Analytics (Art. 6(1)(a) GDPR) — based on your explicit opt-in consent during onboarding

5. Analytics (Optional)

If you opt in during onboarding, Anima Cycle uses PostHog to collect anonymous usage analytics — such as which features you use and how you navigate the app. This data is identified only by a random device ID (no name, email, or health data is ever included).

Legal basis: your explicit consent (Art. 6(1)(a) GDPR).

You can withdraw consent at any time in Settings → Privacy & Data.

PostHog's privacy policy: posthog.com/privacy

6. Third-Party Services

PostHog (analytics, opt-in only) — processes anonymous usage events on EU servers (Frankfurt, Germany). No other third-party SDKs receive your data.

No advertising SDKs, no tracking frameworks, no data brokers.

PostHog is a US-based company. Although your data is stored on EU servers, transfers to PostHog are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.

7. Data Retention

Local data remains on your device until you delete it via "Reset all data" in Settings.

Anonymous analytics events (if opted in) are retained by PostHog for 12 months.

8. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights:

• Right of access — you can view all your data directly in the app
• Right to erasure — delete all local data via Settings → Reset all data. To remove anonymous analytics, contact us at contact@animacycle.com
• Right to data portability — your health data is stored locally on your device and is always under your direct control. Analytics data held by PostHog is pseudonymous (random device ID only) and not linked to your identity, which limits portability in practice; you may contact us to request what we can provide
• Right to rectification — request correction of inaccurate personal data we hold (applies to analytics data; local health data can be edited directly in the app)
• Right to restriction of processing — request that we limit how we process your data in certain circumstances, e.g. while a dispute is being resolved
• Right to withdraw consent — opt out of analytics at any time in Settings → Privacy & Data
• Right to object — contact us at contact@animacycle.com
• Right to lodge a complaint — you have the right to lodge a complaint with your local supervisory authority

We do not hold your health data on our servers, so there is nothing to access or transfer from our side.

9. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority.

Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) — www.bfdi.bund.de

For other EU countries, please contact your national data protection authority.

10. California Residents (CCPA)

We do not sell personal information. California residents have the following rights under the California Consumer Privacy Act (CCPA):

• Right to notice — you have the right to know what categories of personal data are collected and for what purpose.
• Right to access / right to know — you may request information about the personal data we have collected about you in the past 12 months, including its sources, the business purpose, and any third parties with whom it is shared.
• Right to delete — you may request deletion of personal data we hold. Since all health data is stored locally on your device, you can delete it at any time via Settings → Reset all data. For analytics data (if opted in), contact us at contact@animacycle.com.
• Right to opt out of sale — we do not sell your personal data to any third party, under any circumstances.
• Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights. You will receive the same level of service regardless.

To exercise any of these rights, contact us at contact@animacycle.com. We will respond within 45 days.

11. Age Requirement

Anima Cycle is intended for users aged 18 and older. We do not knowingly collect data from users under 18 years of age.

12. Data Deletion

You can permanently delete all local data at any time using "Reset all data" in Settings. This action is irreversible.

13. Data Security

Your health data never leaves your device and is protected by your device's built-in security (encryption at rest, device passcode/biometrics). We do not have access to this data.

For server-side components (PostHog analytics, if opted in), all data is transmitted over encrypted connections (TLS) and stored on PostHog's EU servers in Frankfurt, Germany. We apply industry-standard security practices to any data we do process.

No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a personal data breach affecting PostHog analytics data, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33, and will inform affected users where required under Art. 34.

14. Business Transfer

If Anima Cycle is involved in a merger, acquisition, asset sale, or other business transfer, any analytics data we hold (anonymous usage events from opted-in users) may be transferred as part of that transaction. We will notify you via a notice within the app before such data becomes subject to a different privacy policy.

Your health data is stored exclusively on your device and is not part of any such transfer — we do not hold it on our servers.

15. Do Not Track (CalOPPA)

Anima Cycle does not track your activity across third-party websites or applications over time for advertising purposes. We do not respond to browser "Do Not Track" (DNT) signals, as we do not engage in the type of cross-site tracking that DNT is designed to address.

If you have opted in to analytics, you can withdraw consent at any time in Settings → Privacy & Data.

16. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated within the app. Where processing is based on your consent (e.g. analytics), material changes to how we process that data will require a fresh consent — continued use alone will not be sufficient.